Quantum Key Distribution Using Equiangular Spherical Codes 
Mutually unbiased bases have been extensively studied in the literature and are simple and
effective in quantum key distribution protocols, but they are not optimal. Here equiangular spherical
codes are introduced as a more efficient and robust resource for key distribution. Such codes are 
sets of states that are as evenly spaced throughout the vector space as possible. In the case the two 
parties use qubits and face the intercept/resend eavesdropping strategy, they can make use of three 
equally-spaced states, called a trine, to outperform the original four-state BB84 protocol in both 
speed and reliability. This points toward the optimality of spherical codes in arbitrary dimensions. 
The possibility of secure key distribution using quantum
states is by now a well established feature of quantum
information theory. In the original 1984 proposal of Bennett
and Brassard (BB84), four states of a spin-1/2 system, the
eigenstates of $\sigma_z$ and of $\sigma_x$, are used as
signals by the sender Alice. These states are naturally
partitioned into two orthonormal bases from which the
receiver Bob chooses one at random to measure the signal.
Because the bases are unbiased — i.e., the overlap between
vectors from distinct bases is always the same, equal to 1/2
for qubits — Bob learns nothing when his measurement doesn't
correspond to Alice's preparation, but everything when it
does. The nonorthogonality of the states allows Alice and
Bob to detect eavesdropping by an adversary Eve, so the
states form an unconditionally secure cryptographic protocol.

One more unbiased basis, the eigenvectors of $\sigma_y$, can
be added to the BB84 set, forming a new six-state protocol.
Unbiased bases can be found in higher dimensions as well,
and the key distribution protocol has been extended to such
cases, with increasing dimension leading to improved
security. In these analyses, however, the security is not
proved to be unconditional, since only particular
eavesdropping attacks are studied.

Unbiased bases have been the cornerstone of key distri- 
bution schemes. But are they optimal? For simple eaves- 
dropping strategies, I show here in the qubit case that 
they are not, suggesting that they are not optimal for 
unconditional eavesdropping attacks either. The analysis 
here is based on a more efficient and robust set of states, 
the equiangular spherical codes, also known as Grass- 
mann frames. Analysis of the qubit case reveals a key 
distribution protocol based on three states having equal 
overlap, the trine ensemble, which is both faster and 
more secure than the BB84 protocol when subjected to 
two simple eavesdropping attacks, intercept-resend and 
cloning. This provides compelling evidence that spher- 
ical codes can outperform their unbiased cousins. An 
analysis of spherical codes in higher dimensions will be
presented in a subsequent paper.

Recall the general setting of quantum key distribu- 
tion. Two parties, Alice and Bob, wish to make use of 
an authenticated public classical channel and an inse- 
cure quantum channel controlled by an adversary Eve 
to establish a secret key for the purposes of encrypt- 
ing and sharing other data. They start with a sequence 
of samples from a given tripartite probability distribu- 
tion shared between the three parties. Alice and Bob 
then proceed to "distill" the key by sharing informa- 
tion based on their individual sequences over the clas- 
sical channel. How exactly this distillation is achieved 
is an information-theoretic problem. However, for eaves- 
dropping strategies in which Eve doesn't directly make 
use of the distillation information, how the probability 
distribution arises in practice and what distributions are 
at all possible are purely questions of physics, and these 
questions are addressed in this paper. 

The probability distribution arises from using the 
quantum channel to send quantum information. Alice 
sends quantum states drawn from a certain signal ensem- 
ble through the channel to Bob, who performs a specific 
measurement (in the case of signaling states drawn from 
mutually unbiased bases, the several measurement bases 
Bob chooses from for his measurement are here amalga- 
mated into a single POVM measurement). Alice and Bob 
fix the signal ensemble and the measurement using the 
public channel. Eve is free to exploit this information 
to mount an attack on their protocol, using her control 
of the quantum channel; she can in principle subject the 
signal states to any physical interaction that she wishes. 
Alice and Bob's goal is to exploit the quantum nature of 
the channel to make Eve's eavesdropping ineffective. 

The relevant probability distribution is the joint
probability $p(a_i, b_j, e_k)$ of Alice's signal, Bob's
measurement result, and the result of any measurement Eve
performs in the course of eavesdropping. Repeated use of the
protocol yields a sequence of samples drawn from this
distribution. Alice and Bob, however, must establish which
distribution they are sampling from, as it depends on
Eve's attack. Typically, Eve has some physical setup
which can give rise to many different distributions as she
changes the strength of her interference with the channel.
Given an assumption of the type of attack, Alice and
Bob determine the extent of Eve's interference by making
public and comparing a fraction of Alice's signals and
Bob's measurement results. Knowing the distribution $p$,
they can distill a key of length $MR$ from the remaining
$M$ samples in accordance with the bounds

$$I_E \le R \le I(A{:}B|E), \qquad (1)$$

where $I(X{:}Y) = H(X) + H(Y) - H(XY)$ is the mutual
information of $X$ and $Y$, $H(\cdot)$ being the Shannon
entropy, and $I_E = I(A{:}B) - \min\{I(A{:}E), I(B{:}E)\}$.
The lower bound obtains when the key is distilled using
one-way communication; to progress beyond this requires a
technique called advantage distillation, though this is of
limited efficiency.

These bounds provide a method of investigating the 
cryptographic usefulness of a signal ensemble. Given a 
signal ensemble, Bob's measurement, and an assumption 
about the nature of Eve's attack, the probability distri- 
bution can be calculated, and the key rate bounds deter- 
mined. In this way the security of the protocol against 
this attack is established. To say that a protocol is un- 
conditionally secure is to demonstrate its security against 
all possible attacks. 

The focus now turns to Alice's signal ensemble and
Bob's measurement. An intuitively appealing ensemble is
a spherical code, a complex-vector-space version of points
on a sphere whose minimal pairwise distance is maximal.
The complex version, called the Grassmann packing problem,
asks for a set of unit vectors in $\mathbb{C}^d$ whose maximal
pairwise overlap is minimal. When all these pairwise
overlaps are equal, this equiangular spherical code is
called a Grassmann frame; i.e., a set
$C = \{|\phi_k\rangle \in \mathbb{C}^d\}$
for $n > d$ is a Grassmann frame if

Grassmann frames also arise as the solution to the
"minimum energy problem." For a set of unit vectors
$C$, call $V_t(C) = \sum_{j,k} |\langle\phi_j|\phi_k\rangle|^{2t}$
the $t$-th "potential energy" of the set of vectors. The
minimum energy problem is to find $C$ having $n > d$
elements such that $V_1 = n^2/d$ and $V_2$ is minimized.
Note that $n^2/d$ is the global minimum of $V_1$. This
follows from considering the (at most) $d$ nonzero (real)
eigenvalues $\gamma_j$ of the Gram matrix
$G_{jk} = \langle\phi_j|\phi_k\rangle$. Clearly
$\sum_k \gamma_k = n$ and $\sum_k \gamma_k^2 = V_1(C)$.
These being the equations for a plane and a sphere, the
minimum of $V_1$ occurs if and only if all the $\gamma_k$
are equal to $n/d$, whence $V_1$ is bounded below by
$n^2/d$. Thus what is sought is the set of vectors with the
minimum $V_2$ energy, given minimum $V_1$ energy.



To find a lower bound for the minimum of $V_2$, let
$\lambda_{jk} = |\langle\phi_j|\phi_k\rangle|^2$, and employ
the same method again. We have immediately that
$\sum_{j\neq k} \lambda_{jk} = V_1 - n = n(n-d)/d$ and
$\sum_{j\neq k} \lambda_{jk}^2 = V_2 - n$, whence the
minimum of $V_2$ over all sets minimizing $V_1$ is bounded
below by making all the $\lambda_{jk}$ the same and given
by Eq. When this lower bound is achieved, i.e.,
$V_2 = n^2(n - 2d + d^2)/[d^2(n-1)]$, the result is a
Grassmann frame.

The existence of Grassmann frames isn't known for
arbitrary $n$ and $d$, though some general statements can
be made. They always exist for $n = d + 1$ (a regular
simplex), but never when $n > d^2$. For $n < d^2$, when
a Grassmann frame exists, it is a spherical code, but for
$n > d^2$, spherical codes aren't equiangular.

By minimizing $V_1$, Grassmann frames automatically
form measurement POVMs, which can be used by Bob to detect
Alice's signal. This is true because
$S = \sum_k |\phi_k\rangle\langle\phi_k| = (n/d)I$, so that
a POVM can be constructed from the subnormalized projectors
$(d/n)|\phi_k\rangle\langle\phi_k|$. To see this, fix an
orthonormal basis $\{|e_k\rangle\}$ and consider the matrix
$T_{jk} = \langle e_j|\phi_k\rangle$. The Gram matrix can
be written as $G_{jk} = (T^\dagger T)_{jk}$, while
$S_{jk} = (TT^\dagger)_{jk}$, so both have the same
eigenvalues. When $V_1$ is minimized, these $d$ eigenvalues
are all $n/d$, implying that the vectors form a resolution
of the identity.

Such sets are appealing because they are the sets that
are "least classical" in the following sense. Consider
using these quantum states as signals on a classical
channel as follows. Instead of sending the quantum
state, Alice performs the associated measurement and
communicates the result to Bob using a classical channel.
Bob then prepares the associated quantum state at
his end. The fidelity of Bob's reconstruction with the
input state, averaged over inputs and measurement results,
measures how well the classical channel can be used to
transmit quantum information. This fidelity is $dV_2/n^2$,
so among all ensembles which themselves form POVMs,
Grassmann frames are hardest to transmit "cheaply" in
this way. Eavesdropping on the communication between
Alice and Bob makes the channel more classical — Eve is
essentially trying to copy the signal — so one might expect
that Grassmann frames are useful in foiling the
eavesdropper.

For the case of qubits, there are only two equiangular 
spherical codes, the trine and the tetrahedron. These 
are named after their Bloch-sphere representation: the 
trine is a set of three equally-spaced coplanar vectors, and 
the tetrahedron is the familiar regular simplex in three 
dimensions. Here we use the following representation of 
the trine states: 

$$|\phi_j\rangle = \frac{1}{\sqrt{2}}\left(|0\rangle + e^{2\pi i j/3}|1\rangle\right), \qquad j = 0, 1, 2. \qquad (3)$$
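The minimum-energy characterization and the classical-channel fidelity $dV_2/n^2$ can be checked numerically for the trine, the tetrahedron and, for comparison, the four BB84 states. The Python sketch below is an added example, not code from the paper. Its function names are hypothetical, and the bound in `v2_bound` assumes all $n(n-1)$ off-diagonal $\lambda_{jk}$ are equal in the sum $\sum_{j\neq k}\lambda_{jk} = n(n-d)/d$.

```python
import cmath, math

def ket(theta, phi):  # qubit state at Bloch-sphere angles (theta, phi)
    return (complex(math.cos(theta / 2)), cmath.exp(1j * phi) * math.sin(theta / 2))

def inner(u, v):  # <u|v>
    return u[0].conjugate() * v[0] + u[1].conjugate() * v[1]

D = 2  # dimension: qubit codes only
TRINE = [ket(math.pi / 2, 2 * math.pi * j / 3) for j in range(3)]
_t = math.acos(-1 / 3)  # polar angle of the three lower tetrahedron vertices
TETRAHEDRON = [ket(0, 0)] + [ket(_t, 2 * math.pi * j / 3) for j in range(3)]
BB84 = [ket(0, 0), ket(math.pi, 0), ket(math.pi / 2, 0), ket(math.pi / 2, math.pi)]

def potential(code, t):
    # V_t(C) = sum over all j, k of |<phi_j|phi_k>|^(2t)
    return sum(abs(inner(u, v)) ** (2 * t) for u in code for v in code)

def frame_operator(code):
    # S = sum_k |phi_k><phi_k| as a 2x2 nested list
    return [[sum(u[a] * u[b].conjugate() for u in code) for b in range(D)]
            for a in range(D)]

def v2_bound(n, d=D):
    # Lower bound on V_2: n diagonal terms plus n(n-1) equal off-diagonal terms
    lam = (n - d) / (d * (n - 1))
    return n + n * (n - 1) * lam ** 2

def is_equiangular(code, tol=1e-9):
    lams = [abs(inner(u, v)) ** 2
            for a, u in enumerate(code) for b, v in enumerate(code) if a != b]
    return max(lams) - min(lams) < tol

def reprepare_fidelity(code):
    # Measure-and-reprepare fidelity d * V_2 / n^2
    return D * potential(code, 2) / len(code) ** 2

if __name__ == "__main__":
    for name, code in [("trine", TRINE), ("tetrahedron", TETRAHEDRON), ("BB84", BB84)]:
        n = len(code)
        print(name, "V1 =", round(potential(code, 1), 4), "(min", n * n / D, ")",
              "V2 =", round(potential(code, 2), 4), "(bound", round(v2_bound(n), 4), ")",
              "equiangular:", is_equiangular(code),
              "fidelity:", round(reprepare_fidelity(code), 4))
```

All three sets minimize $V_1$, but only the trine and the tetrahedron reach the $V_2$ bound; the four BB84 states sit above the bound that the tetrahedron attains for $n = 4$.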

The task now is to determine key rate bounds for the
trine protocol and to compare with the original BB84
scheme. Generically, Bob uses the same Grassmann
frame to measure as Alice uses to signal. Such a
measurement attempts to confirm which state Alice sent. For
qubits, however, Bob can construct an "inverted
measurement" from the states $|\tilde\phi_j\rangle$ that are
orthogonal to the trine states; this measurement attempts
to exclude one of the possible signal states. By so doing,
he increases the mutual information of his outcomes with
Alice's signals, thus improving the prospects for creating
a key. This strategy doesn't work in higher dimensions, as
the orthogonal complement of a signal state isn't a pure
state.

Two eavesdropping attacks are considered here, the 
cloning attack and the intercept-resend attack. Both are 
single-system, incoherent attacks, as opposed to the most 
general many-system, coherent attacks. One feature of 
generic attacks is Eve's ability to control the interaction 
strength of her probe with the signal. To mimic this 
feature in these schemes, Eve intercepts only a fraction q 
of the signals, allowing the rest to pass unmolested. 

Now consider the two attacks in turn. The cloning
attack is simple: Eve attempts to clone the incoming signal
state as best she can and then makes the same measurement
as Bob on her probe. She implements the unitary
operator $U$ acting on the signal and her probe state,
initially in the state $|0\rangle$, which maximizes the
average fidelity
$\sum_j |\langle\phi_j,\phi_j|U|\phi_j,0\rangle|^2/n$,
subject to the constraint
that all states are cloned equally well. If Eve's attack is
not symmetric in this sense, Alice and Bob might be able
to improve their detection by exploiting the asymmetry.
The resulting distribution for a clone attack is simply

p(oi,6 Js e fc ) = ^K0i,&|tf|&,O>| 2 . (4) 

To describe varying $q$, Eve's random variable includes an
additional value which occurs when she does not implement
$U$, in which case the expression for the distribution
is the same, but with $I$ replacing $U$. A numerical
maximization of $U$ for the trine and the four states of the
BB84 protocol was carried out using Mathematica's
implementation of the simulated annealing algorithm. The
trine result is

/ V2\ 
J_ 1 1 

y/2 1-10 

\0 V2 / 



U = 



(5) 



for a fidelity of $(1 + \sqrt{2})/4$. For BB84, the $\pm 1$
$\sigma_z$ eigenstates are cloned to



~ ((2±\/2)|00)t«V2(|01) + |10)) + (2tV2)|11; 



(6) 



and the other two cloned states are obtained by the
positive and negative superpositions of these states.
Somewhat surprisingly, the cloning fidelity for BB84 is the
same as for the trine. More surprisingly, cloning is
useless to Eve in both cases, since the lower key rate
bound is positive for all values of $q$. Cloning every
signal provides Eve as much information as Bob about
Alice's string, as the cloning procedure turns out two
copies of equal quality. However, Alice's information about
Bob's string is still greater than Eve's, so they may use
that string as the starting point for key distillation. By
computing the bounds from equation (1), it is easily
verified that the trine ensemble offers higher key
generation rates, but as cloning is a very weak attack,
this conclusion is of little force.

The focus now shifts to the intercept-resend attack. 
This is similar to splicing a classical channel into a quan- 
tum channel, as described above. Eve receives Alice's 
signal, measures it, creates a new quantum state based 
on that measurement, and sends it on to Bob. Due to the 
symmetry of inversion between Alice and Bob's states it's 
best for Eve to include in her measurement both ensem- 
bles. This ensures that her mutual information with Al- 
ice is the same as with Bob. Upon observing a particular 
result, she simply leaves the system in the correspond- 
ing state; thus the joint distribution when q = 1 is quite 
simple: 



p{a,i,bj,e k ) 



K0i|0 fc )l 2 K0fcl^)l 2 o<fc<2 

K0i|0 fc >| 2 K^|^-)| 2 fc<3<5 



(J) 



Again, for varying q, the probability distribution simply 
includes an extra value that occurs when Eve doesn't 
intercept the signal. From this distribution it is easy to 
calculate the key rate bounds and the rate E of additional 
errors, due to Eve's attack, which Alice and Bob observe 
when comparing samples using the public channel. Con- 
sidering the key rate R as a function of the error rate E 
enables a comparison with the same quantities derived 
from the BB84 protocol. Figure 1 shows the upper and 
lower key generation rate bounds for the trine and BB84 
protocols as a function of error rate. By having one fewer 
outcome, the trine is inherently better at information 
transfer between the parties. The lower bound, which 
is more relevant for realistic implementation, shows that 
the trine is also much more secure, tolerating roughly 9% 
error. 
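The intercept-resend bounds can be reproduced numerically. The Python sketch below is an added example, not code from the paper: it builds $p(a_i, b_j, e_k)$ for the trine with the inverted measurement and for unsifted BB84, then bisects on $q$ for the error rate at which the lower bound $I_E$ reaches zero. It assumes uniform signals, POVM weights $d/n$, that Eve's BB84 measurement is the same four-state POVM as Bob's, and that an error is the outcome an undisturbed channel never produces; all function names are hypothetical.

```python
import cmath, math

def ket(theta, phi):  # qubit state at Bloch-sphere angles (theta, phi)
    return (complex(math.cos(theta / 2)), cmath.exp(1j * phi) * math.sin(theta / 2))

def ov(u, v):  # squared overlap |<u|v>|^2
    return abs(u[0].conjugate() * v[0] + u[1].conjugate() * v[1]) ** 2

TRINE = [ket(math.pi / 2, 2 * math.pi * j / 3) for j in range(3)]           # Eq. (3)
ANTI = [ket(math.pi / 2, 2 * math.pi * j / 3 + math.pi) for j in range(3)]  # ANTI[j] is orthogonal to TRINE[j]
BB84 = [ket(0, 0), ket(math.pi, 0), ket(math.pi / 2, 0), ket(math.pi / 2, math.pi)]

# name: (Alice's signals, Bob's POVM states, Eve's measure/resend states, assumed error test)
PROTOCOLS = {
    "trine": (TRINE, ANTI, TRINE + ANTI, lambda i, j: j == i),
    "bb84": (BB84, BB84, BB84, lambda i, j: j == (i ^ 1)),
}

def joint(name, q):
    # p(a_i, b_j, e_k) when Eve intercepts a fraction q; e = None means the signal passed untouched.
    sig, bob, eve, _ = PROTOCOLS[name]
    wa, wb, we = 1 / len(sig), 2 / len(bob), 2 / len(eve)  # uniform prior, POVM weights d/n with d = 2
    p = {}
    for i, s in enumerate(sig):
        for j, b in enumerate(bob):
            p[i, j, None] = (1 - q) * wa * wb * ov(b, s)
            for k, e in enumerate(eve):
                p[i, j, k] = q * wa * we * ov(e, s) * wb * ov(b, e)
    return p

def mutual_info(p, x, y):
    # I(X:Y) in bits between coordinates x and y of the joint distribution.
    pxy, px, py = {}, {}, {}
    for key, v in p.items():
        a, b = key[x], key[y]
        pxy[a, b] = pxy.get((a, b), 0.0) + v
        px[a] = px.get(a, 0.0) + v
        py[b] = py.get(b, 0.0) + v
    return sum(v * math.log2(v / (px[a] * py[b])) for (a, b), v in pxy.items() if v > 1e-15)

def lower_bound(name, q):
    # I_E = I(A:B) - min{I(A:E), I(B:E)}, the lower bound of Eq. (1)
    p = joint(name, q)
    return mutual_info(p, 0, 1) - min(mutual_info(p, 0, 2), mutual_info(p, 1, 2))

def error_rate(name, q):
    err = PROTOCOLS[name][3]
    return sum(v for (i, j, _k), v in joint(name, q).items() if err(i, j))

def tolerable_error(name):  # bisect on q for the zero of the lower bound
    lo, hi = 0.0, 1.0
    for _ in range(50):
        mid = (lo + hi) / 2
        lo, hi = (mid, hi) if lower_bound(name, mid) > 0 else (lo, mid)
    return error_rate(name, lo)

if __name__ == "__main__":
    for name in PROTOCOLS:
        print(name, round(lower_bound(name, 0.0), 4), round(tolerable_error(name), 4))
```

Under these assumptions the zero-error rate is $\log_2 3 - 1$ bits for the trine against 1/2 bit for BB84, and the trine's lower bound stays positive up to an error rate a little under 9%.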

Note that in this analysis, the usual first step in the 
BB84 protocol, i.e., sifting over the public channel to de- 
termine when Bob's measurement basis matches Alice's 
signal basis, cannot be performed for the trine, as there 
is nothing like different bases. Strictly speaking, sifting 
belongs to the key distillation phase of the protocol, so 
it is appropriate to exclude it here. 

This analysis strongly suggests that the trine-based
protocol might be much more useful for key distribution
than BB84, but this conclusion is not firm, as the two
attacks considered are insufficiently general. It is known,
however, for the BB84 protocol that the intercept-resend
attack is nearly optimal, so it is quite reasonable
to expect the analysis here to be indicative of the more
general case.

Key Rate vs Error Rate
FIG. 1: Upper (solid) and lower (dashed) key rate bounds as
a function of error rate for the trine-based and BB84 protocols
subject to the intercept-resend attack. For each protocol, the
bounds emanate from the same point on the vertical axis at
zero error (no eavesdropping) and drop down to zero key rate
at the largest tolerable error rate on the horizontal axis. The
trine is both faster (higher key generation rate) and more
robust (higher tolerable error) than the BB84 protocol.

Recently a strong relationship between secure key
distribution and entanglement has been identified by
considering a coherent version of these "prepare-and-measure"
protocols. Instead of preparing a state and sending it to
Bob for measurement, Alice prepares a bipartite state,
ostensibly entangled, and sends half to Bob. Each party
then measures his or her half, returning the protocol to
the original picture. In this setting both the upper and
lower key generation rate bounds can be translated into
questions of entanglement and nonlocality. From the upper
bound, it follows that secure key distribution is possible
if the corresponding coherent process leaves Alice and
Bob with a state which is one-copy distillable.
From the lower bound, it follows that key distribution is
possible if the bipartite state violates some Bell
inequality.

Equiangular spherical codes fit nicely into this picture,
as they can always be realized from maximally entangled
states. Thus they start on the same footing as unbiased
bases, for which this is also true. To demonstrate this,
consider a spherical code $C = \{|\phi_k\rangle\}$ and a
"conjugate" code $C^* = \{|\phi_k^*\rangle\}$ formed by
complex conjugating each code state in the standard basis.
Then it is a simple matter to show that
$|\Phi\rangle = (\sqrt{d}/n)\sum_k |\phi_k\rangle|\phi_k^*\rangle$
is maximally entangled. Thus if Alice prepares this state
and sends the second half to Bob, they can realize the
"prepare-and-measure" scheme by measurement.

The performance of the trine-based protocol establishes
the usefulness and suggests the superiority of
Grassmann frames for key distribution. Extending the
intercept-resend analysis to higher dimensions is simple,
if tedious, and is done in detail elsewhere. The result
is the same: in every dimension, a suitable Grassmann
frame can be found to outperform the unbiased bases in
both speed and reliability.

Physics dictates the distributions that can be realized, 
and information theory determines how to distill a key 
from the data drawn from the distribution. It is impor- 
tant to remember that distillation is relatively straight- 
forward when using unbiased bases. After making many 
measurements, Alice and Bob sift the data to determine 
in which cases they have selected the same basis. Absent 
any eavesdropper, this creates a key, and if errors are 
present they can employ a simple privacy amplification 
scheme to ensure security. First, they determine the error 
rate of Bob's data, and knowing this, they create a secret 
key that Eve has vanishingly small probability of know- 
ing simply by taking the EXCLUSIVE-OR of large blocks 
of the data. When using equiangular spherical codes, no 
such simple key distillation protocol is available. 